Risk-Based Audit Best Practices

The aim of the risk assessment auditing standards was to improve the quality and effectiveness of audits by substantially changing audit practice. Statements on Auditing Standards nos. 104–111 provide increased rigor to the audit process in a number of key areas, including the assessments of inherent and control risks and the linking of these risk assessments to further audit procedures.

This year marks the third anniversary of the standards’ effective date. Across the profession much progress has been made toward the ultimate goal of a more reliable audit process, but even more is possible as we continue to learn about the standards’ practical application.

This article captures some of the most important lessons learned and best practices that have emerged during the extended implementation of the risk assessment standards (see sidebar, “Methodology Behind Application Suggestions,” at bottom of page).

IMPLEMENTATION ISSUE NO. 1: EVALUATING INTERNAL CONTROL

Previous auditing standards allowed auditors, at their discretion, to simply designate the client’s internal control as a high risk, which allowed them to greatly reduce the effort required to understand and document internal control.

The risk assessment standards prohibit the auditor from “defaulting to the maximum” control risk. On all audits the auditor should evaluate the design and implementation of internal control to properly identify and assess risk.

Implementing and applying this standard in practice has proven to be a challenge for many firms, which have difficulty linking their internal control work to the substantive procedures and other aspects of the engagement, finding sufficient benefit to justify the increased audit costs that result from the stricter standard, and determining how to evaluate the effectiveness of internal control design.

APPLICATION SUGGESTION: FOLLOW THE COSO PROCESS

Karen Kerber, a shareholder with Kerber, Rose & Associates, sums up the fundamental dilemma her firm’s auditors face. “Our staff struggles with understanding how internal control is relevant,” she says. “They need to relate it to something.”

The secret is for the auditor to gain a deeper understanding of the COSO integrated framework of internal control, according to Charles Landes, AICPA vice president–Professional Standards and Services. “COSO addresses the issues faced by Karen and the staff at many other firms because it relates internal control to the financial statements,” he says.

To apply what Landes refers to as “the COSO process,” the auditor starts at the highest level of aggregation, the financial statements. The auditor then proceeds through a sequence of analyses that become increasingly granular until he or she ultimately assesses individual control activities (see Exhibit 1).

UNDERSTANDING THE COSO PROCESS

The auditor starts with the financial statements at the “top” of the diagram and works “down” to the individual controls. The first step is to identify the material accounts and significant classes of transactions and the relevant assertions related to those accounts.

Risk of material misstatement—“what can go wrong?”—is the flip side of the assertion. For example, the “what can go wrong?” related to the completeness assertion is that one or more valid transactions are not recorded in the system. Identifying what can go wrong allows the auditor to understand control objectives, for example, “to ensure that all valid transactions are recorded.”

The auditor then identifies those controls that meet the stated control objective. In this way, there is an unbroken link between the financial statements and internal control, and the auditor can easily understand the effect that a particular control activity can have on an amount reported in the financial statements.

APPLICATION SUGGESTION: USE A TOP-DOWN APPROACH TO SET THE SCOPE OF YOUR INTERNAL CONTROL WORK

Audit methodologies built around the top-down COSO process have proven highly efficient because they allow the auditor to properly scope the internal control test work to include only the controls relevant to the audit.

Rather than gaining an understanding of all controls used by the client, the top-down approach drives the auditor to progressively eliminate from consideration controls related to immaterial accounts and transactions, controls related to nonrelevant assertions, and controls that are overly redundant.

The result is a tightly focused population of controls for the auditor to understand, assess and document, which allows the audit to be as efficient as possible.

APPLICATION SUGGESTION: FOCUS ON INTERNAL CONTROL OBJECTIVES TO ASSESS CONTROL DESIGN

Prior to the risk assessment standards, there was no explicit requirement for auditors to evaluate the design of their client’s internal control, and consequently, most auditors merely documented their understanding of how the control operated without judging whether the control was properly designed. The requirement in the risk assessment standards to evaluate control design has been difficult for some auditors.

Firms that have rigorously applied the COSO process in their audit methodology have been able to perform a meaningful evaluation of internal control design, which ultimately improves audit quality.

As shown in Exhibit 1, the COSO process requires the auditor to define relevant control objectives and then determine the control activities or combination of control activities that meet the objective. A control system that meets the stated control objectives is designed effectively. A system that leaves important control objectives unmet is ineffective. Identifying these control weaknesses allows the auditor to better assess risks and respond by designing the right mix of further audit procedures.

Most auditors understood that the risk assessment standards would require them to perform more audit procedures than in the past, and they were prepared to incur significantly higher costs during the first year of implementation. The expectation was that in subsequent years, costs would decline because auditors would leverage their knowledge of the client obtained in prior audits. In practice, realizing these savings has been difficult as auditors have struggled to determine the nature and extent of the procedures they should perform on an ongoing basis.

APPLICATION SUGGESTION: IDENTIFY AND EVALUATE CHANGE

For years, auditors have fought a SALY mentality, the tendency to implicitly assume that everything on the audit is “Same As Last Year,” an assumption that invariably leads to diminished audit quality. The risk assessment standards give audit firms an opportunity to eliminate the SALY mindset by reframing the issue. Instead of considering how to “update” last year’s audit, start with the premise that something has changed, and the first priority of the current year’s audit is to identify those changes and determine their effect on risk by asking questions such as:

What has changed at the entity and in its operating environment since our last audit?

As a result of these changes, how have inherent risks at the client changed since our last audit?

Were changes to internal control necessary to address these changes to inherent risk?

Only after the auditor has adequately answered these questions will he or she be able to determine the nature and extent of additional risk assessment procedures.

The blue diamonds describe the key audit judgments that should be made in the current year.

The blue rectangles summarize the risk assessment procedures that should be performed in the current year.

The green ovals summarize the knowledge that is carried forward from prior-year audits and how it factors into current-year audit judgments.

Read this decision tree from top to bottom:

Begin by considering the nature of the changes to the entity and its environment since the previous audit. It is key to ask whether those changes have resulted in changes to inherent risks. For example, the current recession may create inherent risks for your client that were not present before the economic downturn.

If inherent risks are unchanged (and assuming that the prior year’s controls were effectively designed and implemented), the auditor will need to verify the implementation of controls to determine whether there have been any changes in their design or implementation.

If changes in the entity or its environment create new or modified inherent risks, then the auditor will need to determine whether changes in internal control were necessary to address those new risks. For example, the recession may create risks related to asset valuation that were not material in the past. In prior years, the client did very little to evaluate asset impairment. But in the current environment, the auditor should determine whether the client has changed its control procedures in response to the heightened level of risk.

The bottom of the diagram describes three possible scenarios:

If the controls in place during the prior year would have been effective in addressing the current year’s risks and the auditor has determined that there have been no changes to those controls, then the auditor is prepared to assess the risk of material misstatement.

If the prior year’s controls would have been effective in addressing the current year’s risks but the auditor discovers that the design or implementation of those controls has changed, then the auditor will need to assess the design of those new controls before assessing the risk of material misstatement.

For all new or significantly changed inherent risks that could not be effectively addressed by the prior year’s controls, the process will be similar to that undertaken in the initial implementation. The auditor will have to perform risk assessment procedures to gain an understanding of the design and implementation of controls to serve as a basis for assessing risk of material misstatement.

IMPLEMENTATION ISSUE NO. 3: ONGOING IMPLEMENTATION

The sweeping scope of the risk assessment standards made it difficult for even the most resource-rich audit firms to optimize implementation of the standards. Most firms continue to refine their audit approaches and set firm policy to deal with issues that arise as a result of applying the standards.

The ongoing implementation issues for audits of smaller businesses will require even more attention. Audits of smaller, less complex businesses pose many challenges that may not exist in audits of larger clients. For example, auditors of smaller, less complex businesses frequently encounter:

Less sophisticated or formal internal controls characterized by minimal documentation, lack of segregation of duties, and an overall lack of in-house accounting expertise.

The need to adapt standardized audit practice aids developed for audits of larger entities to the conditions that exist on an audit of a smaller, less complex business.

APPLICATION SUGGESTION: “OWN” YOUR METHODOLOGY

Most firms build their audit methodologies around a set of standardized practice aids. These forms and checklists help auditors comply with the requirements of the standards, but they should not be confused with the standards themselves. An auditor can comply with the standards and prepare audit documentation in many ways.

“Forms and guidance only cover a percentage (hopefully high) of the requirements,” says Lyn Graham, chair of the AICPA task force that drafted the risk assessment audit guide. “They should not be a substitute for training or understanding or consulting the literature for unusual situations. From what I have seen, one needs to deviate (probably more often than auditors would like to) from the forms to comply with GAAS.”

Once thought to be the purview of only the largest firms, growing numbers of audit firms are developing a more customized, firm-specific set of audit practice aids by creating their own forms or checklists for highly judgmental areas such as the documentation of internal controls.

“We wanted a workpaper set that we could continue to build on and customize,” says Andrew Prather, shareholder at Clark Nuber. “For example, we work with a lot of not-for-profit organizations, so we wanted a format that would allow us to build a library of templates specific to our clients.”

Like many firms, Averett, Warmus, Durkee (AWD) formed a committee of five to six experienced auditors to evaluate the requirements of the standards and develop a firm-specific set of practice aids. “We did the project during our slower time in the summer and fall and did some practice runs with clients in different industries to work out some of the kinks,” said AWD audit partner Lena Combs. “We made some templates from these trials and made some samples, too, including a sample audit binder, and then we held in-house CPE to train everyone on how we were going to implement the standards. It saved us time when busy season hit.”

When asked whether she was concerned that the firm’s peer reviewers would take exception to some of their practice aids, Combs was confident that the AWD methodology would not be found lacking. “I have no doubts that peer review will pass with little disruption.”

It’s not just about the forms—there is tremendous value in the process itself. To create practice aids, firm personnel must obtain an in-depth understanding of the requirements of the standards and how they should be applied. This technical expertise becomes invaluable not only for performing audits but also for other critical activities such as training. Firms that make the commitment to “own” their audit methodology do so with the expectation that ultimately it will lead to more effective and efficient audits.

APPLICATION SUGGESTION: EARLY PARTNER INVOLVEMENT ON AUDITS OF SMALLER, LESS COMPLEX BUSINESSES

The unique demands of an audit of a smaller, less complex business typically require significant involvement of the most experienced auditors during the audit planning process. More experienced auditors will be able to make important judgments about audit strategy, including:

The nature, timing and extent of risk assessment procedures designed to gather information about the client and its environment.

The assessment of risks of material misstatement.

The nature and extent of the auditor’s documentation of assessed risks.

The nature and extent of the documentation of the client’s internal control.

The choice of further audit procedures that are clearly linked to assessed risks.

The allocation of audit resources to those areas of the audit that present the most risk.

The significant involvement of the most experienced auditors early in the audit process should improve both audit quality and efficiency.

Methodology Behind Application Suggestions

During the summer of 2009, the AICPA significantly revised the audit guide that was originally published concurrently with the risk assessment standards. To make these revisions, the Audit and Accounting Publications team formed an online, collaborative work group of more than 50 auditors who worked to identify and discuss technical issues, provide suggestions and vet new content.

The issues and suggestions described in this article were generated from the input received from this online working group. The revised audit guide, Assessing and Responding to Audit Risk in a Financial Statement Audit—AICPA Audit Guide, Revised Edition as of Oct. 1, 2009 (#012459), will be available January 2010 at cpa2biz.com.

EXECUTIVE SUMMARY

On all audits the auditor must evaluate the design and implementation of internal control to properly identify and assess risk. Implementing and applying this standard in practice has proven to be a challenge for many firms.

The key to implementing the internal control evaluation requirement is “the COSO process.” The auditor starts at the highest level of aggregation, the financial statements, then proceeds through a sequence of analyses that grow increasingly granular until the auditor ultimately assesses individual control activities.

Auditors have struggled to determine the nature and extent of the procedures they should perform on an ongoing basis. Instead of considering how to update the prior year’s audit, make identifying changes in the organization your first priority.

The broad scope of the risk assessment standards made it difficult for audit firms to optimize implementation of the standards by developing firm policies and practice aids. The temptation is to use policies and practice aids developed by others, but by developing and owning their own approach, firms gain more in-depth knowledge of the standards and of their clients’ businesses that will help them truly optimize processes and maintain quality.
